b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n   RELIABILITY AND ACCURACY OF THE\n   SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\n       EXHIBIT 300 SUBMISSIONS TO\n THE OFFICE OF MANAGEMENT AND BUDGET\n\n    September 2008   A-14-08-18018\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                           SOCIAL SECURITY\nMEMORANDUM\n\nDate:      September 30, 2008                                                                 Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Reliability and Accuracy of the Social Security Administration\xe2\x80\x99s Exhibit 300 Submissions\n           to the Office of Management and Budget (A-14-08-18018)\n\n\n           OBJECTIVE\n\n           Our objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\n           Exhibit 300 submissions to the Office of Management and Budget (OMB) for its\n           Information Technology (IT) projects were based on reliable and accurate data and\n           information.\n\n           BACKGROUND\n\n           Federal agencies are required to effectively manage their capital assets to ensure\n           scarce public resources are wisely invested. OMB plays a key role in determining the\n           amount the Government will spend for IT and how these funds will be allocated. 1 A key\n           component of OMB\xe2\x80\x99s management and oversight of the IT budget process is the\n           Capital Asset Plan and Business Case, also known as the Exhibit 300. OMB designed\n           the Exhibit 300 as the one-stop document for many IT management issues, including\n           business cases for investments, IT security reporting, modernization efforts and overall\n           investment management. 2 Exhibit 300 is used to help make important IT management\n           decisions and choices.\n\n\n\n\n           1\n            Government Accountability Office, GAO-06-250, Information Technology, Agencies Need to Improve the\n           Accuracy and Reliability of Investment Information, page 1, January 2006.\n           2\n            OMB Circular No. A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets,\n           Section 300.6, page 6, July 2007.\n\x0cPage 2 - The Commissioner\n\n\nEach year, Federal agencies submit Exhibits 300 to OMB for budget justification and to\nsatisfy reporting requirements 3 for all major IT investments. 4 The Exhibit\xe2\x80\x99s content\nshould reflect controls agencies have established to ensure good project management,\nas well as show that they have defined cost, schedule, and performance goals. 5 OMB\nrelies on the accuracy and completeness of the information reported in the Exhibits 300\nfor budget decisionmaking. 6 Exhibits 300, submitted at the end of Fiscal Year (FY)\n2007, were for the FY 2009 budget request. In the FY 2007 Exhibit 300 submission,\nFY 2007 was considered the prior year, FY 2008 was the current year and FY 2009 was\nthe budget year.\n\nAt SSA, the Offices of the Chief Information Officer (OCIO) and Systems (OS) manage\nand lead the Exhibit 300 preparation and review process. This process integrates the\ndecisions of SSA\xe2\x80\x99s IT capital planning and budgeting processes. In May of each year,\nproject management teams from SSA\xe2\x80\x99s major IT projects begin developing SSA\xe2\x80\x99s\nExhibits 300 for September submission to OMB.\n\nWe examined SSA's Exhibit 300 process and other related processes and reviewed the\nsupporting documents of the following SSA FY 2007 Exhibit 300 submissions to OMB.\n\n\xe2\x80\xa2         Financial Accounting System (FACTS) project provides for the operation and\n          maintenance of SSA\xe2\x80\x99s official accounting system, the Social Security Online\n          Accounting and Reporting System.\n\xe2\x80\xa2         Call Center Network Solution (Call Center) project replaces the current call center\n          for SSA\xe2\x80\x99s National 800 Network and provides for capability to handle increasing call\n          volumes.\n\xe2\x80\xa2         Information Technology Operations Assurance (Second Data Center) project\n          establishes a second data center to address the single point of failure risk of SSA\xe2\x80\x99s\n          current data center, National Computer Center.\n\nFor more methodology and background information, see Appendices B and C.\n\n\n\n\n3\n    OMB Circular A-11, Part 7, supra, Section 300.1, page 1.\n4\n  OMB Circular A-11, Part 7, supra, Section 300.4, page 3. \xe2\x80\x9cMajor investment means a system or\nacquisition requiring special management attention because of its importance to the mission or function of\nthe agency, a component of the agency or another organization; is for financial management and\nobligates more than $500,000 annually; has significant program or policy implications; has high executive\nvisibility; has high development, operating, or maintenance costs; is funded through other than direct\nappropriations; or is defined as major by the agency\xe2\x80\x99s capital planning and investment control process.\nOMB may work with the agency to declare other investments as major investments.\xe2\x80\x9d\n5\n    GAO-06-250, supra, see the report\xe2\x80\x99s Highlights.\n6\n    Id.\n\x0cPage 3 - The Commissioner\n\n\nRESULTS OF REVIEW\nOur review found several areas in the Exhibit 300 process that SSA could improve to\nincrease the reliability and accuracy of the Agency\xe2\x80\x99s submissions to OMB. Preparation\nof the Exhibit 300 is difficult and complex. SSA has leveraged its existing capital\nplanning and budgeting, financial accounting, and project management processes and\ndesigned a collaborated system for Exhibit 300 reporting. This system involves many\nlevels of reviews and requires extensive communication and cooperation among\nnumerous components at different organizational levels. In addition, SSA developed\ncapital programming policies and procedures that generally meet OMB\xe2\x80\x99s requirements\nfor project management and Exhibit 300 reporting.\n\nHowever, we noted several areas that SSA could improve to ensure the Agency\xe2\x80\x99s\nExhibit 300 submissions are based on accurate and reliable data and information. Well\nsupported and more accurate Exhibits 300 will enable OMB to make better decisions\nfor SSA\xe2\x80\x99s major IT projects. These areas were as follows.\n\n\xe2\x80\xa2     SSA Exhibits 300 did not always reflect best estimates of total project cost for its IT\n      projects.\n\xe2\x80\xa2     Alternatives Analyses were not always performed properly.\n\xe2\x80\xa2     There were weaknesses in SSA\xe2\x80\x99s security costs allocation process.\n\xe2\x80\xa2     Risk assessments were not always performed properly.\n\xe2\x80\xa2     SSA did not fully address some OMB Exhibit 300 questions.\n\nSSA\xe2\x80\x99S EXHIBITS 300 DID NOT ALWAYS REFLECT TOTAL PROJECT COSTS\n\nSSA\xe2\x80\x99s Exhibit 300 process did not ensure the total costs for its major IT projects were\nproperly estimated and reported in Exhibits 300 to OMB. We found certain cost data\nfor some of SSA\xe2\x80\x99s major IT projects were not accurately reflected or properly estimated\nin the Exhibits 300 to OMB. For example, for one of the three projects we reviewed, we\nfound $18.8 million in historical costs was not included in SSA\xe2\x80\x99s submission to OMB.\nThis amount is 14 percent of the total costs of the project currently reported to OMB.\n\nSSA Processes Focus on Short-term Costs Rather Than Long-term Resource\nNeeds\n\nFor each major IT project, agencies are required to provide the total estimated life-cycle\ncosts 7 (total costs) for the investment by completing the Summary of Spending for\nProject Phases table 8 (spending table). This table includes accumulated historical\ncosts and estimated costs for the project\xe2\x80\x99s current and future years. SSA\xe2\x80\x99s IT\n\n7\n Life-cycle costs of an asset are all direct and indirect costs, including planning, procurement, operating\nand decommissioning and disposal costs.\n8\n    OMB Circular A-11, Part 7, supra, Section 300, page 14.\n\x0cPage 4 - The Commissioner\n\n\nbudgeting process focuses more on the amount of funds expected to be available in the\nnear future for the projects. As a result, the total costs reported in SSA\xe2\x80\x99s Exhibit 300\nspending tables represent short-term (1-2 years) budget decisions rather than the\nlong-term resource needs. OCIO IT budget staff stated that the out-year 9 budgets are\ngenerally flat and serve as place holders. We found that the estimated costs in\nExhibits 300 represent the amounts approved by the OCIO. As a result, SSA\xe2\x80\x99s process\ndid not always ensure the costs reported in the Exhibits 300 represent the total\nresources needed to complete the project.\n\nWe found that estimated total costs for the Call Center project were based on an\nincomplete analysis. When SSA submitted the project budget to OMB, it had\ndeveloped estimated total costs for three viable investment alternatives but had not\ndecided which investment alternative to select. SSA used the highest priced alternative\nrather than the best ranked alternative as its basis for total costs estimation for the\nproject. In addition, cost estimates were based on a 2005 study that noted the costs for\nthe best ranked alternative were expected to drop sharply. As a result, the project\xe2\x80\x99s\nestimated total costs provided to OMB could be significantly different from the actual\nresources required to complete the project. SSA staff stated the scope of the project is\nstill subject to changes, and a budget based on the higher cost alternative would ensure\nthe project is not under-funded in the future.\n\nWe found omissions in the budget amount computation for the Exhibit 300 of one of the\nthree projects we reviewed. Costs for two planned tasks were not included for a project\nbecause of a manual error. 10 In 2007, SSA implemented a new process to better\naccount for total project costs. The process is still being refined and improved. SSA\nneeds to ensure the spending summaries reported in Exhibits 300 represent both\nbudget decisions and its best estimates for the total costs for the projects.\n\nWeaknesses in the Historical Costs Accumulation\n\nWe identified two weaknesses in the area of historical costs. First, in response to our\ninquiries about historical costs accumulation, SSA staff identified an issue that they\nwere not previously aware of with SSA\xe2\x80\x99s Exhibit 300 reporting and data maintenance\nsystem called the Electronic Capital Planning and Investment Control (eCPIC) System.\nThe system automatically dropped costs for years before 2001. For example, for SSA\xe2\x80\x99s\nFACTS, we found $18.8 million in historical costs for planning was dropped and\nexcluded as project costs. This amount represents 14 percent of total project costs\nreported to OMB and half of the planning cost of the project. SSA staff stated that this\nwas an issue with the software and was shared by other Federal agencies that used the\nsame software. The software administrators have resolved this issue. SSA will review\nits projects to ensure all dropped costs are recaptured in the system. SSA considered\nseveral alternatives before it selected eCPIC. According to SSA, eCPIC is the most\n\n9\n Out years are defined as the years after the current budget year. In September 2007, agencies\nsubmitted Exhibits 300 for the budget request for 2009, or budget year 2009.\n10\n     The total costs for FY 2007 through 2009 should have been 7, 9, and 14 percent higher, respectively.\n\x0cPage 5 - The Commissioner\n\n\neconomical solution among the alternatives considered. OMB recommended, but did\nnot require the use of, eCPIC for the Exhibit 300 submission solution.\n\nSecond, OMB requires that Federal agencies report estimated total life-cycle costs in\n                                                                        11\nthe Exhibits 300, including historical costs and future cost estimates. Each January,\nSSA revises all its Exhibits 300 to reflect prior year actual spending. This process\nensures the Exhibits 300 accumulate accurate historical costs. However, this process\ndoes not include SSA\xe2\x80\x99s Full-Time Equivalent (FTE) costs. SSA did not reflect the\naccurate level of costs spent in the prior years for the number of Government FTEs and\ntheir related costs. As a result, the historical costs for Government labor were not\naccurate.\n\nSome of the issues with total project costs may arise because of the nature of SSA\xe2\x80\x99s\nExhibit 300 process. SSA\xe2\x80\x99s IT capital planning covers only a 2-year period. SSA\xe2\x80\x99s\nExhibit 300 process is largely manual and uses data from various automated and\nnon-automated systems and processes that are not fully integrated. To capture all cost\nelements related to an individual Exhibit 300 project, SSA staff manually combines\ncomponent-level project data from various systems and data sources. This process is\nlabor-intensive. See Appendix C for details.\n\nTo improve SSA\xe2\x80\x99s Exhibit 300 process, SSA should further integrate its IT capital\nplanning, budgeting, project management and reporting systems with its Exhibit 300\nprocesses to minimize manual operations and adjustments. SSA also needs to ensure\nthat OMB\xe2\x80\x99s guidance is followed in an accurate and complete manner.\n\nALTERNATIVES ANALYSES WERE NOT ALWAYS PERFORMED PROPERLY\n\nIn selecting the best investment alternative for an IT project to improve current\nprocesses, OMB generally requires that agencies conduct cost-benefit analyses\n(CBA) 12 for three viable alternatives in addition to the current process. 13 OMB further\nrequires that agencies analyze, identify, and compare total costs and benefits for each\n                                                                         14\nalternative as well as the costs and benefits for the current operation. The results of\nthe comparison are to be reported to OMB in the Exhibit 300 for each major IT project.\nThe goal of the Alternatives Analysis is to promote efficient resource allocation through\nwell-informed decisionmaking by the Government. 15\n\n11\n     OMB Circular A-11, Part 7, supra, Section 300, page 14.\n12\n  The applicable OMB guidance uses the term benefit-cost analysis. However, throughout the\nGovernment and private industry, a benefit-cost analysis is referred to as a CBA. Therefore, for the\npurposes of this report, we refer to such an analysis as a CBA.\n13\n     OMB Circular A-11, Part 7, supra, Section 300, Exhibit 300 Part II, Section A, page 21.\n14\n     OMB Capital Programming Guide, Version 2.0, pages 17-18, June 2006.\n15\n OMB Circular A-94, Revised, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal\nGovernment, Section 1, page 1.\n\x0cPage 6 - The Commissioner\n\n\nThe Alternatives Analyses conducted for the Call Center and Second Data Center\nprojects were not properly performed, and both projects\xe2\x80\x99 related Exhibit 300 sections\nwere incomplete or not fully supported. Neither of the projects provided total cost and\nbenefit estimates for their current operating process.\n\nFor example, SSA did not estimate the total benefits of the three alternatives for the\nCall Center project, as required by OMB. Instead, SSA reported the cost differences\namong the three alternatives as the benefit values for the three alternatives. Below is a\nsummary of the Call Center project\xe2\x80\x99s Alternatives Analysis results.\n\n             Call Center Project Alternatives Analysis Results Summary\n Alternatives Analyzed          Total Estimated Costs     Total Estimated Benefits\n                                      (in millions)              (in millions)\n Alternative 1                            399                         0\n Alternative 2                            367                         32\n Alternative 3                            334                         65\n\nOMB recommends that agencies perform comprehensive analyses of different types of\nbenefits and attempt to quantify the benefits identified. 16 According to SSA, for the Call\nCenter project, it determined the total estimated benefits by calculating the differences\nbetween the total estimated costs rather than actually assessing the benefits of the\nspecific alternatives. For example, SSA determined the total estimated benefit for\nAlternative 2 of $32 million by calculating the difference between the total estimated\ncosts of Alternatives 1 and 2 ($399 million minus $367 million). In addition to the issues\nwith estimating project benefits, the Call Center project\xe2\x80\x99s total cost estimates for the\nthree alternatives were based on a 2005 study and susceptible to changes.\n\nFor the Second Data Center project, an Alternatives Analysis was not conducted in\naccordance with OMB guidance, and the estimated total costs and benefits reported in\nthe Exhibit 300 were not fully supported by the documentation SSA provided. SSA\nconducted a cost-effectiveness analysis (CEA) instead of a CBA for the alternatives it\nidentified for the Second Data Center Project. OMB allows the use of CEA when\nexpected benefits are the same for all investment alternatives identified. 17 A CEA\ncompares only the total costs of the competing investment alternatives. An alternative\n\n\n\n\n16\n     OMB Circular A-94, supra, Sections 5.a.1 and 2.\n17\n  OMB Circular A-94, supra, Section 5, indicates that a CBA is recommended as the technique to use in a\nformal economic analysis of Government programs or projects. CEA is a less comprehensive technique,\nbut it can be appropriate when the benefits from competing alternatives are the same or where a policy\ndecision has been made that the benefits must be provided. Section 5.b. indicates that a CEA analysis is\nappropriate whenever it is unnecessary or impractical to consider the dollar value of benefits provided by\nthe alternative under consideration. This is the case when (1) each alternative has the same annual\nbenefits expressed in monetary terms or (2) each alternative has the same annual affects, but dollar\nvalues cannot be assigned to their benefits.\n\x0cPage 7 - The Commissioner\n\n\nis cost-effective if it has the lowest costs among the competing investment alternatives\nthat provide the same benefits. 18 On the other hand, a CBA compares net benefits\n(benefits minus costs) among competing investment alternatives.\n\nThe Second Data Center project is not a case that lends itself to use a CEA. SSA\xe2\x80\x99s\nanalysis considered a fully functional second data center and a fully configured\nhot-site 19 as providing the same benefits. These two scenarios, by definition, do not\nprovide the same benefits. For example, the Second Data Center option would provide\nextra workload capacity throughout the year for routine operations. A hot-site only\nprovides coverage during a disaster recovery period.\n\nAdequately prepared Alternatives Analyses are crucial for both SSA and OMB to make\nsound IT investment decisions. SSA needs to ensure Alternatives Analyses are\nperformed according to OMB Circular A-94 and the analyses are properly documented\nfor all major IT investments.\n\nThe Agency agreed with and began addressing our suggestions. SSA developed and\nconducted new Alternatives Analysis training. The new training materials and detailed\nAlternatives Analysis template generally met OMB\xe2\x80\x99s requirement for Alternatives\nAnalysis.\n\nWEAKNESSES IN SECURITY COSTS ALLOCATION PROCESS\n\nOur review found weaknesses in how security costs were allocated to individual\nprojects. OMB requires that agencies identify project-specific IT security costs and\nintegrate these costs into the overall costs of investment. 20 For security management\nactivities that support multiple applications, agencies should allocate the related costs\nto the impacted applications.\n\nSSA has generally integrated project-specific security costs into the overall costs of its\ninvestment projects. SSA also allocates enterprise security costs 21 to individual\nprojects according to the number of workstations impacted by the individual projects.\nHowever, SSA management determines the basis of the allocation method, the\nnumbers of impacted workstations by the projects, without proper support. For\nexample, we found that OCIO determined there were 10,000 workstations (or users)\nimpacted by 1 project. However, the system the project supported had only about\n\n18\n     OMB Circular A-94, supra, Section 5.b.\n19\n   A hot-site is defined by the analysis as an alternate facility that has all the computer,\ntelecommunications, and environmental infrastructure required to recover critical business functions or\ninformation after a disaster.\n20\n   OMB Circular A-130, Revised, Management of Federal Information Resources, Section 8.b(3),\nNovember 2000 and OMB Circular A-11, Part 2, Section 300, page 17, question 1, July 2007.\n21\n   These costs include costs for authentication, physical security enhancement, security infrastructure\nprotection, contractor services, and SSA\xe2\x80\x99s in-house IT security personnel costs, totaling $23.6 million for\nBudget Year 2009.\n\x0cPage 8 - The Commissioner\n\n\n1,500 direct and indirect users according to the project management team. To ensure\nSSA accurately allocates security costs, we suggest SSA use the most accurate\ninformation available.\n\nSSA has included system- or application-specific costs in the cost pool for allocation.\nWe found that the Certification and Accreditation (C&A) costs were not being directly\ncharged to specific projects but allocated to all projects. OMB requires that agencies\nperform C&As at least every 3 years or when significant changes are made for Federal\n                       22\ninformation systems. SSA conducted C&As for 13 major applications and systems in\nFY 2007. Some of the C&As were directly traceable to SSA\xe2\x80\x99s Exhibit 300 projects,\nsuch as FACTS, SSA Unified Measurement System and Title II Redesign, but these\ncosts were still included in the allocation pool and distributed to all projects as\nenterprise security costs. As a result, the security costs allocated to individual projects\nwere not as accurate as they should have been. SSA should only allocate costs for\nsecurity activities that support multiple applications and systems.\n\nRISK MANAGEMENT\n\nWe found that SSA did not complete the risk assessments per OMB criteria. OMB\nrequires that agencies perform a risk assessment at the initial stage of a project and\n                                                                                    23\ndemonstrate active management of the risks throughout the life of the investment.\nRisk assessment must include 19 mandatory risk elements, such as schedule, costs,\ntechnology obsolescence, security, and project resources for IT investments. Agencies\nmust discuss these risks and present plans to eliminate, mitigate, or manage them, with\nmilestones and completion dates. 24\n\nSSA has established risk management policies and procedures for its IT projects.\nHowever, the policies and procedures were not consistently followed. We found the\nfollowing risk management weaknesses for the projects we reviewed.\n\n\xe2\x80\xa2     The FACTS project had a risk management plan that addressed the mandatory risk\n      elements. However, the plan had not been updated since it was initially completed\n      in FY 2005.\n\xe2\x80\xa2     The Second Data Center project team provided a repository of technical issues as\n      the project\xe2\x80\x99s risk management plan. However, it did not address critical risk\n      elements required by OMB.\n\nThe Second Data Center project is one of the high-risk projects SSA reports to OMB.\nThe project\xe2\x80\x99s progress was delayed because the planned occupation of the facility was\n\n22\n OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security\nManagement Act, page 10, August 2004.\n23\n     OMB Circular A-11, Part 7, supra, Section 300, Part III, Section A, page 24, July 2007.\n24\n  OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets,\nSection 300, page 25, June 2005.\n\x0cPage 9 - The Commissioner\n\n\ndelayed by more than 1 year. When the project started, SSA should have had plans to\nhandle risks related to such delays, as required by OMB for risk management. The risk\nmanagement plan should have been documented and updated and used to adjust\nproject cost estimates accordingly. SSA needs to ensure all projects comply with\nOMB\xe2\x80\x99s risk management requirements and its own policy.\n\nADDRESSING EXHIBIT 300 QUESTIONS\n\nSSA did not always fully address all the Exhibit 300 questions and requirements. OMB\nuses the Exhibit 300 questions as a management tool. OMB relies on the accuracy and\nreliability of the Exhibits 300 to make budget and management decisions. OMB\nrequires that information reported in Exhibit 300 be supported by documentation and\n                                                   25\nsupporting documents be available upon request.\n\nFor example, certain responses to the questions were unsupported. One of the three\nExhibit 300 projects we reviewed reported wrong percentage breakdowns of funding\nrequests for hardware, software and services for FY 2009. One project used\nperformance measures that were not measurable or were difficult to link to the\nAgency\xe2\x80\x99s goal. OMB requires that performance measures be both measurable and\nlinked to Agency goals. 26 We found that SSA\xe2\x80\x99s response and statement of its\n                                                                                27\ncompliance with earned value management standards was not fully supported, and\nwe identified a number of errors and omissions in the related Exhibit 300 section.\n\nSSA\xe2\x80\x99s Exhibit 300 process includes four phases of review and revision. However, this\nprocess needs to be improved to better prevent errors and ensure all answers are\nsupported with documentation. This will help to improve the quality and integrity of the\nExhibit 300. OMB has established a scoring method and has linked funding decisions\nwith the quality of agencies\xe2\x80\x99 Exhibit 300 submissions. SSA needs to implement controls\nto ensure its Exhibits 300 are free of errors and supported with complete\ndocumentation.\n\nCONCLUSION AND RECOMMENDATIONS\nThe Exhibits 300 are required by OMB to determine what funds to provide SSA for its IT\nprojects. We noted several areas in the process that SSA could improve to increase\nthe reliability and accuracy of SSA's Exhibit 300 submissions to OMB.\n\n\n25\n     OMB Circular A-11, Part 7, supra, Section 300.8, page 9, July 2007.\n26\n     OMB Circular A-11, Part 7, supra, page 16.\n27\n   SSA has not conducted a compliance review or annual surveillance reviews as required by OMB to be\nfully compliant with OMB earned value management requirements. See OMB Memorandum M-5-23,\nImproving Information Technology (IT) Project Planning and Execution, August 2005, for related guidance.\nIn addition, SSA has not fully addressed the recommendations from our prior audit, The Social Security\nAdministration\xe2\x80\x99s Implementation of Earned Value Management Systems, (A-14-06-26085), September\n2006.\n\x0cPage 10 - The Commissioner\n\n\nSSA has leveraged its existing capital planning and budgeting, financial accounting,\nand project management processes and designed a collaborative system for\nExhibit 300 reporting. This system involves many levels of reviews and requires\nextensive communication and cooperation among components at different\norganizational levels.\n\nOur audit identified weaknesses and errors in different areas of SSA\xe2\x80\x99s Exhibit 300\nprocess that could be strengthened and improved. Specifically, (1) SSA\xe2\x80\x99s Exhibit 300\ndid not always reflect best estimates of total project costs; (2) its Alternatives Analyses\nwere not always performed and documented properly; (3) there were weaknesses in its\nsecurity cost allocation process; (4) its risk management was not always performed\nproperly; and (5) it did not always fully address some OMB Exhibit 300 questions.\n\nBased our on review, we recommend that SSA:\n\n1. Use the most accurate data and estimates available to prepare its Exhibits 300.\n2. Ensure its summaries of spending for Exhibits 300 represent both budget decisions\n   and its best estimates for the total costs for the IT projects.\n3. Further integrate and automate its IT capital planning, budgeting, project\n   management and reporting systems and processes to minimize manual operations\n   and adjustments.\n4. Conduct and document Alternatives Analyses according to Federal standards for all\n   projects.\n5. Allocate costs for security activities that support multiple applications and systems in\n   an accurate and complete manner.\n6. Comply with OMB\xe2\x80\x99s risk management requirements and its own policy for all\n   projects.\n7. Implement controls to ensure its Exhibits 300 are free of errors and supported with\n   complete documentation.\n\n\nAGENCY COMMENTS\nSSA agreed with all of our recommendations. The Agency also provided technical\ncomments, which we considered and addressed as appropriate. See Appendix D for\nthe text of SSA\xe2\x80\x99s comments.\n\n\n\n\n                                             Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Background\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                               Appendix A\n\nAcronyms\nC&A                  Certification and Accreditation\nCall Center          Call Center Network Solution\nCBA                  Cost-Benefit Analysis\nCEA                  Cost-Effectiveness Analysis\nCIO                  Chief Information Officer\neCPIC                Electronic Capital Planning and Investment Control System\nFACTS                Financial Accounting System\nFTE                  Full Time Equivalent\nFY                   Fiscal Year\nIT                   Information Technology\nITAB                 Information Technology Advisory Board\nIT Budget            Information Technology Systems Budget\nOCIO                 Office of the Chief Information Officer\nOIG                  Office of the Inspector General\nOMB                  Office of Management and Budget\nOS                   Office of Systems\nSecond Data Center   Information Technology Operations Assurance\nSpending Table       Summary of Spending for Project Phases Table\nSSA                  Social Security Administration\nTotal Costs          Life-Cycle Costs\n\x0c                                                                       Appendix B\n\nScope and Methodology\nThe objective of our review was to determine whether the Social Security Administration\n(SSA) Exhibit 300 submissions to the Office of Management and Budget (OMB) for its\nInformation Technology (IT) projects were based on reliable and accurate data and\ninformation. Specifically, we evaluated the reliability and accuracy of SSA\xe2\x80\x99s Exhibit 300\nsubmissions to OMB.\n\nTo meet the objective of this audit, we reviewed relevant Federal laws, regulations and\nguidance. We reviewed SSA\xe2\x80\x99s IT capital planning and budgeting and Exhibit 300\npreparation processes. We reviewed and examined SSA policies, procedures,\npractices, internal controls and documentation, and conducted interviews with relevant\nSSA personnel as it related to Exhibit 300 submissions.\n\nWe reviewed the following Federal laws, regulations, and guidance:\n\n\xe2\x80\xa2   OMB Circular A-11, Part 2: Preparation and Submission of Budget Estimates,\n    Section 53, Information Technology and E-government, and Part 7, Section 300:\n    Planning, Budgeting, Acquisition and Management of Capital Assets, June 2005\n    and July 2007;\n\xe2\x80\xa2   OMB Capital Programming Guide Version 2.0, June 2006;\n\xe2\x80\xa2   OMB Circular A-94, Revised, Guidelines and Discount Rates for Benefit-Cost\n    Analysis of Federal Programs, October 29, 1992;\n\xe2\x80\xa2   OMB Memorandum M-05-23, Improving Information Technology (IT) Project\n    Planning and Execution, August 4, 2005;\n\xe2\x80\xa2   OMB Memorandum M-04-19, Information Technology (IT) Project Manager (PM)\n    Qualification Guidance, July 21, 2004; and\n\xe2\x80\xa2   Federal Acquisition Regulation 7.105, Contents of written acquisition plans.\n\nWe reviewed SSA policies, procedures, and documents, including the following:\n\n\xe2\x80\xa2   SSA OMB Exhibit 300 preparation instruction package for FY 2007 submission;\n\xe2\x80\xa2   SSA Target Information Technology (IT) Capital Planning and Investment Control\n    Process (CPIC) Guide;\n\xe2\x80\xa2   Related IT Budget Justifications and Exhibits 3 and Office of Chief Information\n    Officer (OCIO) review summaries related to the three projects selected for review;\n\xe2\x80\xa2   SSA\xe2\x80\x99s worksheets and data files for Exhibit 300 project cost calculations for Fiscal\n    Years 2007 to 2009;\n\n\n                                            B-1\n\x0c\xe2\x80\xa2   SSA\xe2\x80\x99s allocation worksheets for Agency-Wide Support Services Contract;\n\xe2\x80\xa2   SSA Information Technology Advisory Board meeting materials and minutes;\n\xe2\x80\xa2   Alternatives Analysis reports for projects selected for review; and\n\xe2\x80\xa2   Other supporting documents and data for the Exhibits 300 for the projects selected\n    for review.\nWe contacted or interviewed SSA staff in the following components:\n\n\xe2\x80\xa2   OCIO, Office of Information Technology Investment Management;\n\xe2\x80\xa2   Office of Systems (OS), Budget Staff;\n\xe2\x80\xa2   OS, Earned Value Management Program Management Office;\n\xe2\x80\xa2   OS, Office of Telecommunications and Systems Operations;\n\xe2\x80\xa2   Office of the Chief Strategic Officer, Office of Chief Strategic Management; and\n\xe2\x80\xa2   Office of Budget, Finance and Management, Office of Financial Policy and\n    Operations, Office of Financial and Administrative Systems.\n\nOur audit focused on SSA\xe2\x80\x99s 2007 Exhibit 300 submissions to OMB. SSA had\n13 projects that required preparing and reporting an Exhibit 300. OMB requires the\ncompletion of different parts of Exhibit 300 for projects in different life-cycle stages. To\nensure our audit properly covered different areas of OMB Exhibit 300, we examined a\nsample of three major IT projects that SSA submitted Exhibits 300 to OMB in\nSeptember 2007. Each of the projects selected was at a different life-cycle stage. The\nthree projects were\n\n\xe2\x80\xa2   Financial Accounting System (FACTS);\n\xe2\x80\xa2   Call Center Network Solution (Call Center); and\n\xe2\x80\xa2   Information Technology Operations Assurance (Second Data Center).\n\nAmong the 13 projects, SSA had only 1 new project, the Call Center, and 1 operating\nproject, FACTS. There was 1 discontinued project and 10 mixed life-cycle projects.\nWe selected the Second Data Center project among the 10 projects by considering the\nrisks and costs involved of each individual project. For each of the three projects, we\nreviewed and examined the related Exhibits 300 dated September 10, 2007 and the\nsupporting documents and data.\n\n\n\n\n                                            B-2\n\x0cOur audit scope was limited to the determination of whether accurate and reliable data\nwere used and whether SSA\xe2\x80\x99s responses to Exhibit 300 questions were supported with\nproper documentation. We did not examine the underlying processes that generated\nthe data or the documentation. For example, we did not examine SSA's Earned Value\nManagement System and process or cost-benefit analysis process.\n\nWe conducted this audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives. We\nconducted our field work at SSA Headquarters in Baltimore, Maryland, from\nOctober 2007 through March 2008.\n\n\n\n\n                                          B-3\n\x0c                                                                                Appendix C\n\nBackground\nOFFICE OF MANAGEMENT AND BUDGET EXHIBIT 300\n\nFederal agencies are required to effectively manage their capital assets to ensure\n                                             1\nscarce public resources are wisely invested. The Office of Management and Budget\n(OMB) plays a central role in determining the amount the Government plans to spend\nfor information technology (IT) and how these funds are allocated. A key component of\nOMB\xe2\x80\x99s management and oversight of the IT budget process is the Capital Asset Plan\nand Business Case, also known as the Exhibit 300. OMB designed the Exhibit 300 as\nthe one-stop document for many IT management issues, such as business cases for\ninvestments, IT security reporting, Clinger-Cohen Act implementation, E-Gov Act\n                                                                                   2\nImplementation, agencies\xe2\x80\x99 modernization efforts and overall investment management.\n\nEach year, Federal agencies submit Exhibits 300 to OMB for budget justification and to\nsatisfy reporting requirements for all major IT investments. The Exhibit\xe2\x80\x99s content should\nreflect controls that agencies have established to ensure good project management, as\nwell as showing they have defined cost, schedule, and performance goals. OMB relies\non the accuracy and completeness of the information reported in the Exhibits 300.\n\nExhibits 300 submitted at the end of Fiscal Year (FY) 2007 were for a FY 2009 budget\nrequest. For FY 2007 submitted Exhibits 300, FY 2007 was the prior year, FY 2008\nwas the current year and FY 2009 was the budget year.\n\nSOCIAL SECURITY ADMINISTRATION PROCESSES RELATED TO EXHIBIT 300\nPREPARATION\n\nThe Social Security Administration (SSA) leveraged its existing capital planning and\nbudgeting, financial accounting, and project management processes and designed a\ncollaborated system for Exhibit 300 reporting. This system involves many levels of\nreview and requires extensive communication and cooperation among components at\ndifferent organizational levels.\n\nSSA\xe2\x80\x99s Exhibit 300 preparation and review process integrates the decisions and results\nof its IT capital planning and budgeting processes. SSA has separate processes for\nplanning IT staff resources and other IT costs such as hardware, software and services\n\n\n\n1\n OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets,\nSection 300.3, page 2, July 2007.\n2\n    OMB Circular A-11, Part 7, supra., Section 300.6, page 6.\n\n\n                                                     C-1\n\x0cacquired outside the Agency. Many supporting documents for Exhibits 300 are\ngenerated during these processes. SSA uses data from various systems and sources\nin the Exhibit 300 preparation process.\n\nThe Information Technology Advisory Board Process\n\nThe planning process for IT staff resources is governed by SSA\xe2\x80\x99s Information\nTechnology Advisory Board (ITAB). The Agency\xe2\x80\x99s ITAB is chaired by the Chief\nInformation Officer (CIO), and its membership is comprised of the Deputy\nCommissioner for SSA, all Deputy Commissioners for the business components, as\nwell as other Agency executives.\n\nIT proposals by SSA components are first prioritized according to their importance in\nachieving SSA\xe2\x80\x99s goals. The Office of Systems (OS) then consolidates these prioritized\nIT projects with IT staff resource estimates to propose to ITAB an Agency IT Systems\nPlan covering 2 FYs. The CIO-chaired ITAB reviews these projects and reaches\nagreement on the allocation of IT staff and contractor resources on a component\nproject level. During the July 2007 ITAB meeting, SSA\xe2\x80\x99s FYs 2007 and 2008\nallocations of OS staff and contractor work years were approved and allocated to\nindividual projects.\n\nInformation Technology Systems Budgeting Process\n\nThe Information Technology Systems budget (IT budget) includes hardware, software,\nand services. OS issues an IT budget call to all SSA components at the beginning of\neach FY. Components prepare IT Budget Justifications with detailed budget estimates\nfor the next 6 years and submit them to OS for review. OS in turn submits all IT budget\nrequests with its recommendation to the Office of the CIO (OCIO) for funding approval.\nOCIO staff reviews the IT budget requests and provides funding recommendations to\nthe CIO for his final IT budget recommendations to SSA\xe2\x80\x99s Commissioner.\n\nSSA\xe2\x80\x99s Exhibit 300 Preparation Process\n\nSSA\xe2\x80\x99s OCIO and OS manage and lead its Exhibit 300 preparation and review process.\nSSA\xe2\x80\x99s Exhibit 300 preparation and review process integrates the decisions of its IT\ncapital planning and budgeting processes.\n\nOCIO and OS work together to provide assistance, guidance and training to project\nmanagement teams that are directly responsible for Exhibit 300 preparation. Each\nMay, project management teams from SSA\xe2\x80\x99s major IT projects begin developing SSA\xe2\x80\x99s\nExhibits 300 for the September submission to OMB. In the beginning of the Exhibit 300\nprocess, OCIO and OS send out detailed preparation instructions and guidance;\nprovide expertise support; and provide OMB guidance updates and training to project\nteams. In addition, OCIO and OS conduct four runs of review and discussion sessions\nfor each of the Exhibit 300 projects before OMB submission.\n\n\n\n                                          C-2\n\x0cSystems and Data Sources for Exhibit 300 Preparation Process\n\nSSA\xe2\x80\x99s Exhibit 300 process uses data and inputs from a variety of systems and sources.\nThese include the financial accounting system, capital planning and budgeting systems,\nproject management systems and manually maintained worksheets and data records.\nFor example, to provide data to the Summary of Spending for Project Phases table of\nExhibit 300 (spending table), OCIO budget staff use and refer to the following data from\ndifference sources, including\n\n\xe2\x80\xa2 actual expenditure data from Social Security Online Accounting and Reporting\n  System, SSA\xe2\x80\x99s official accounting system;\n\xe2\x80\xa2 actual OS labor hours from Resources Accounting System;\n\xe2\x80\xa2 planned work years for approved OS work years and contractor work years from\n  Systems Planning and Reporting System;\n\xe2\x80\xa2 manually maintained records of approved budgets for Information Technology\n  System budgets;\n\xe2\x80\xa2 manually maintained allocation worksheets for security costs and some contractor\n  services;\n\xe2\x80\xa2 non-Systems labor work years from separately provided data files;\n\xe2\x80\xa2 budget information from Automated Procurement Requisition System;\n\xe2\x80\xa2 historical data from Electronic Capital Planning and Investment Control; an\n  application used for OMB Exhibit 300 preparation and records keeping; and\n\xe2\x80\xa2 Earned Value Management reports.\n\nOCIO IT budget staff conducts intensive manual inputs, matching and adjustments to\nplace the right amounts to the right projects and to the right year. This information is\nmanually maintained and updated in an Excel file that calculates the numbers for the\nExhibit 300 spending table of a project.\n\n\n\n\n                                           C-3\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      September 11, 2008                                                    Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Executive Counselor to the Commissioner\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cReliability and Accuracy of the Social\n           Security Administration\xe2\x80\x99s Exhibit 300 Submissions to the Office of Management and Budget\xe2\x80\x9d\n           (A-14-08-18018)--INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Attached is our response to the\n           recommendations.\n\n           Please let me know if we can be of further assistance. Please direct staff inquiries to\n           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.\n\n\n           Attachment\n\n\n\n\n                                                         D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cRELIABILITY AND ACCURACY OF THE SOCIAL SECURITY\nADMINISTRATION\xe2\x80\x99S EXHIBIT 300 SUBMISSIONS TO THE OFFICE OF\nMANAGEMENT AND BUDGET\xe2\x80\x9d (A-14-08-18018)\n\nThank you for the opportunity to review and provide comments on this draft report.\n\nRecommendation 1\n\nUse the most accurate data and estimates available to prepare Exhibits 300.\nComment\n\nWe agree in principle. Clearly Exhibits 300 should contain the most accurate data and estimates\navailable at the time they are prepared. In practice, the workyear and information technology (IT)\nsystems data we use are based on the Information Technology Advisory Board (ITAB) decisions\nmade in late July or early August. We then make adjustments as a result of management or\nOffice of Management and Budget (OMB) decisions through January updates to OMB. The\nexamples OIG cites reflect software and clerical errors that we corrected upon discovery. We\xe2\x80\x99ve\nadded reviews to help ensure we discover and correct these types of errors in a timely manner.\nThe audit report also cites an instance where estimates were based on the most expensive\nalternative rather than the one selected. However, we believe this was a valid risk-mitigating\nbusiness decision.\n\nRecommendation 2\n\nEnsure summaries of spending for Exhibits 300 represent both budget decisions and best\nestimates for the total costs for IT projects.\nComment\n\nWe agree in principle. The purpose of the Exhibit 300 is to justify project funding through the\nPresident\xe2\x80\x99s budget year. OMB guidance (Circular A-11, Section 330.8) states, \xe2\x80\x9cThe Exhibit 300\nis one component of your agency\xe2\x80\x99s total performance budget justification\xe2\x80\xa6 OMB uses the\nExhibit 300 to make both quantitative decisions about budgetary resources consistent with the\nAdministration\xe2\x80\x99s program priorities and qualitative assessments about whether the agency\xe2\x80\x99s\nprogramming processes are consistent with OMB policy and guidance.\xe2\x80\x9d OMB specifically\nconsiders resource estimates beyond the budget year request to be for planning purposes only.\nOMB makes it clear that the emphasis of the Exhibit 300 is on the budget planning timeframe,\nthough our practice was always to use the best estimates available for years beyond the budget\nyear. However, it is the prerogative of ITAB to define the scope of major investments through its\ndecisions. It would be inappropriate for any other agency to define initiatives beyond the\nstanding ITAB decisions. In cases where we establish scope (e.g. major contract-driven initiative\nsuch as the Telephone Systems Replacement Project), outyear spending patterns are well defined\n\n\n\n\n                                               D-2\n\x0cand reflected in the Exhibit 300, but given the volatility of our project environment (new\nlegislation, new directives, competing priorities, etc.) it is difficult to accurately predict these\ncosts.\n\nRecommendation 3\n\nFurther integrate and automate IT capital planning, budgeting, project management and reporting\nsystems and processes to minimize manual operations and adjustments.\n\nComment\n\nWe agree. We have an ongoing effort to refine and enhance our IT capital planning, budgeting,\nproject management, and reporting processes. We expect it to continue. We will continue to\nlook for ways to improve in this area. We do not necessarily agree that automation is the answer.\nWhile we have various automation initiatives underway, we believe it is more a process\nintegration issue than an automation issue.\n\nRecommendation 4\n\nConduct and document the Alternatives Analysis according to Federal standards for all projects.\n\nComment\n\nWe agree. We should improve the way we conduct Alternatives Analyses. Earlier this year, we\ncontracted with Booz-Allen-Hamilton (BAH) to conduct Alternatives Analysis training for all\nOMB 300 project managers. All project managers now use a template provided by BAH as a\nguide for developing and documenting their Alternatives Analysis. Currently BAH either\nprepares or reviews all Alternatives Analyses.\n\nRecommendation 5\n\nAllocate costs for security activities that support multiple applications and systems in an accurate\nand complete manner.\n\nComment\n\nWe agree. We believe we account for security costs accurately and agree with the\nrecommendation regarding the distribution of certification and accreditation costs. We attribute\nProject-specific security costs to the projects to which they apply. We also distribute Enterprise-\nlevel security costs by a formula that uses the estimated number of workstations affected by each\nmajor project. We frequently revise workstation estimates as better information becomes\navailable.\n\n\n\n\n                                                  D-3\n\x0cRecommendation 6\n\nComply with OMB\xe2\x80\x99s risk management requirements and our policy for all projects.\n\nComment\n\nWe agree in principle. We monitor each Exhibit 300 for compliance and require risk\nmanagement plans. The audit report cites two projects that lacked risk management plans. The\nInformation Technology Operations Assurance (Second Data Center) had a risk management\nplan, but it was lacking some critical risk factors. In January 2008, we corrected the projects\nprior to the resubmission of the Exhibit 300 to OMB. The other project, Financial Accounting\nSystem (FACTS), had a risk management plan. Our review of the plan was done timely. The\nfact that no changes were necessary (it is a steady-state project) may not have been clearly\ncommunicated.\n\nRecommendation 7\n\nImplement controls to ensure Exhibits 300 are free of errors and supported with complete\ndocumentation.\n\nComment\n\nWe agree in principle. As your report recognizes that we already have controls in place, we infer\nthat your recommendation refers to improving our existing controls. At the conclusion of each\nannual Exhibit 300 development process, we conduct lessons-learned sessions and implement the\nbest ideas from these sessions. For example, earlier this year we began a SharePoint site for\ncollecting all artifacts required to support the Exhibit 300s. We also agree with the audit finding\nregarding the lack of compliance reviews or annual surveillance reviews. Lack of funding\nprevents us from carrying out this OMB requirement.\n\n\n\n\n[In addition to the information listed above, SSA also provided technical comments\nwhich have been considered and addressed where appropriate, in this report.]\n\n\n\n\n                                               D-4\n\x0c                                                                     Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702\n\n   Phil Rogofsky, Audit Manager, Information Technology Division, (410) 965-9719\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Grace Chi, Auditor-in-Charge\n\n   Tina Nevels, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number\nA-14-08-18018.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                 Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                           Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                          Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"